[ https://issues.apache.org/jira/browse/OFBIZ-11196?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-11196.
-----------------------------------
Fix Version/s: 18.12.01, 16.11.07, 17.12.01
Assignee: Jacques Le Roux
Resolution: Fixed
These are not really path traversal issues. We can't solve them using the traditional way to fix path traversal issues (i.e. normalising the path), because FetchLogs and ViewFile are actually reading files, and if you have the right to read these files then nothing will prevent you from reading them.
The problem is more what those requests are supposed to do. FetchLogs is supposed to read a log in the log dir, and ViewFile is supposed to read a file containing labels (i.e. either an XML or a Properties file).
So the solution is to allow these requests to only do what they are supposed to do. This is what I did in the ViewFile and FetchLogs Groovy files.
Fixed in
trunk r1866920
R18 r1866921
R17 r1866922
R16 r1866923
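The confinement approach the comment above describes, as an added Java example that is not OFBiz's code: the handler accepts only a bare file name, resolves it inside its own directory (the log directory for FetchLogs, the directory holding label files for ViewFile) and, where relevant, only with an allowed extension. The base directories and the extension set are assumptions for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;

/** Added example, not OFBiz code: confine a user-supplied file name to one
 *  base directory and an optional allow-list of extensions. */
public final class ConfinedFileResolver {

    private final Path baseDir;           // assumed: e.g. the runtime log dir for FetchLogs
    private final Set<String> allowedExt; // assumed: e.g. {".xml", ".properties"} for ViewFile

    public ConfinedFileResolver(Path baseDir, Set<String> allowedExt) throws IOException {
        // toRealPath() resolves symlinks, so the containment check below
        // compares real on-disk locations rather than textual prefixes.
        this.baseDir = baseDir.toRealPath();
        this.allowedExt = allowedExt;
    }

    /** Returns the file to serve, or null when the request asks for anything
     *  other than a regular file of the allowed kind inside baseDir. */
    public Path resolve(String requested) {
        if (requested == null || requested.isEmpty()) return null;
        try {
            // A bare file name only: "../x", "sub/x" and "x/" all differ from
            // their last path element and are rejected outright.
            Path name = Paths.get(requested).getFileName();
            if (name == null || !name.toString().equals(requested)) return null;

            if (!allowedExt.isEmpty()) {
                String lower = requested.toLowerCase(Locale.ROOT);
                if (allowedExt.stream().noneMatch(lower::endsWith)) return null;
            }

            // Resolve, follow any symlink, then require the result to stay under baseDir.
            Path real = baseDir.resolve(name).toRealPath();
            if (!real.startsWith(baseDir) || !Files.isRegularFile(real)) return null;
            return real;
        } catch (InvalidPathException | IOException e) {
            return null; // malformed name, missing file, or unreadable: nothing to serve
        }
    }
}
```

A handler would call `resolve(request.getParameter("logFileName"))` and treat `null` as a rejected request instead of opening the path it was given.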
> Path Traversal in webtools/control/FetchLogs and ViewFile
> ---------------------------------------------------------
>
> Key: OFBIZ-11196
> URL: https://issues.apache.org/jira/browse/OFBIZ-11196
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework/webtools
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 17.12.01, 16.11.07, 18.12.01
>
>
> This was reported to the OFBiz security team by Jason Nordenstam from offensive-security.com. We did not consider it as a real security issue because it requires authentication.
> {quote}
> Authenticated users can use the Fetch Logs functionality to view arbitrary files on the host OS by modifying the "logFileName" parameter.
> While the web application submits the affected URL as a POST request, it can be converted to a GET for ease of use.
> Affected URLs:
> /webtools/control/FetchLogs?logFileName
> /webtools/control/ViewFile?fileName
> Screenshots:
> see attachments ofbiz_path_traversal_1.png and ofbiz_path_traversal_2.png
> {quote}
> That can indeed be easily reproduced at
> https://demo-trunk.ofbiz.apache.org/webtools/control/FetchLogs?logFileName=../../../../../../etc/passwd
> https://demo-trunk.ofbiz.apache.org/webtools/control/ViewFile?fileName=../../../../../../etc/passwd